b"DEPARTMENT OF HOMELAND SECURITY\n    Office of Inspector General\n\n\n      Technical Security Evaluation of \n\n      U.S. Citizenship and Immigration \n\n         Services Activities at the \n\n      Chet Holifield Federal Building\n\n\n\n\n\nOIG-08-02                       October 2007\n\x0c                                                          Office of Inspector General\n                                                          U.S. Department of Homeland Security\n                                                          Washington, DC 20528\n\n\n\n\n                                    October 15, 2007\n\n                                         Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was\nestablished by the Homeland Security Act of 2002 (Public Law 107-296) by amendment\nto the Inspector General Act of 1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the department.\n\nOur report addresses the strengths and weaknesses of the implementation of technical and\ninformation security policies and procedures at U. S. Citizenship and Immigration\nServices locations at the Chet Holifield Federal Building, Laguna Niguel, California. It is\nbased on interviews with employees and officials of relevant agencies and institutions,\ndirect observations, and reviews of applicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to our\noffice, and have been discussed in draft with those responsible for implementation. It is\nour hope that this report will result in more effective, efficient, and economical\noperations. We express our appreciation to all of those who contributed to the\npreparation of this report.\n\n\n\n\n                                     Richard L. Skinner \n\n                                     Inspector General \n\n\x0cTable of Contents/Abbreviations \n\n\n\nExecutive Summary ............................................................................................................ 1 \n\n\nBackground ......................................................................................................................... 2 \n\n\nResults of Review ............................................................................................................... 4\n\n\n    Systems Did Not Comply Fully With DHS Operational Control Requirements........... 4 \n\n    Recommendations...........................................................................................................8 \n\n    Management Comments and OIG Analysis ...................................................................8 \n\n\n\n    Systems Did Not Comply Fully With DHS Technical Control Requirements.............. 9 \n\n    Recommendations.........................................................................................................10\n\n    Management Comments and OIG Analysis .................................................................11 \n\n\n\n    Systems Did Not Comply Fully With DHS Management Control Requirements....... 11 \n\n    Recommendations.........................................................................................................16\n\n    Management Comments and OIG Analysis .................................................................16 \n\n\nAppendices\n\n     Appendix A:             Purpose, Scope, and Methodology .....................................................18 \n\n     Appendix B:             Management\xe2\x80\x99s Comments to the Draft Report...................................20 \n\n     Appendix C:             USCIS Novell Servers with Known Vulnerabilities ..........................24 \n\n     Appendix D:             USCIS Windows Servers with Known Vulnerabilities .....................25 \n\n     Appendix E:             Certification and Accreditation Status ..............................................28 \n\n     Appendix F:             USCIS IT Resources in Use but Not Included in Trusted Agent \n\n                             FISMA ............................................................................................32 \n\n     Appendix G:             Status of Privacy Compliance Activities for USCIS Systems ...........33 \n\n     Appendix H:             Major Contributors to This Report.....................................................36 \n\n     Appendix I:             Report Distribution ............................................................................37 \n\n\nAbbreviations\n     ATO                                    Authorized to Operate     \n\n     CHFB                                   Chet Holifield Federal Building    \n\n     CISO                                   Chief Information Security Officer     \n\n     CSIRC                                  Computer Security Incident Response Center   \n\n     DAA                                    Designated Accrediting Authority     \n\n     DHS                                    Department of Homeland Security       \n\n     DHS Directive 4300A                    DHS Sensitive Systems Policy Directive 4300A \n\n     DHS 4300A Handbook                     DHS 4300A Sensitive Systems Handbook \n\n     FBI                                    Federal Bureau of Investigation    \n\n\x0cTable of Contents/Abbreviations \n\n\n\n  FISMA         Federal Information Security Management Act\n  HVAC          Heating, Ventilation, and Air Conditioning\n  ICE           Immigration and Customs Enforcement\n  ISA           Interconnection Security Agreement\n  IT            Information Technology\n  OIG           Office of Inspector General\n  PIA           Privacy Impact Assessment\n  PTA           Privacy Threshold Analysis\n  TA-FISMA      Trusted Agent FISMA\n  USCIS         U. S. Citizenship and Immigration Services\n\x0cOIG \n\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                      We initiated a program to determine the extent to which critical\n                      Department of Homeland Security sites comply with the\n                      department\xe2\x80\x99s technical and information security policies and\n                      procedures. Based on our internal analysis, we selected the Chet\n                      Holifield Federal Building located in Laguna Niguel, California,\n                      where the U. S. Citizenship and Immigration Services operates the\n                      California Service Center and the Western Region field office.\n\n                      Our evaluation focuses on how Citizenship and Immigration\n                      Services has implemented computer security operational, technical,\n                      and management controls for its information technology resources\n                      at this site. We performed onsite inspections of the areas where\n                      these resources were located, interviewed department staff, and\n                      conducted technical tests of internal controls, e.g., scans for\n                      wireless networks. We also reviewed applicable department\n                      policies, procedures, and other appropriate documentation.\n\n                      The information technology security controls implemented at this\n                      site have deficiencies that, if exploited, could result in the loss of\n                      confidentiality, integrity, and availability of their information\n                      technology systems. Specifically, Citizenship and Immigration\n                      Services needs to improve its physical security, environmental, and\n                      business continuity controls for its computer room. Citizenship\n                      and Immigration Services also could improve its technical controls\n                      by installing the latest patches, disabling unnecessary ports, and by\n                      improving network configuration. Additionally, management\n                      controls could be improved by completing all required certification\n                      and accreditation activities.\n\n\n\n\n     Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                             Page 1\n\n\x0cBackground\n                     We designed our Technical Security Evaluation Program to\n                     provide senior Department of Homeland Security (DHS) officials\n                     with timely information on whether they had properly\n                     implemented DHS information technology (IT) security policies at\n                     critical sites. Our program is based on DHS Sensitive Systems\n                     Policy Directive 4300A (DHS Directive 4300A), which applies to\n                     all DHS components and provides direction to managers and\n                     senior executives regarding the management and protection of\n                     sensitive systems. DHS Directive 4300A also outlines policies\n                     relating to the operational, technical, and management controls that\n                     are necessary for ensuring confidentiality, integrity, availability,\n                     authenticity, and nonrepudiation within the DHS IT infrastructure\n                     and operations. A companion document\xe2\x80\x94the DHS 4300A\n                     Sensitive Systems Handbook (DHS 4300A Handbook)\xe2\x80\x94provides\n                     detailed guidance on the implementation of these policies.\n\n                     DHS IT security policies are organized under management,\n                     operational, and technical controls. According to DHS Directive\n                     4300A, these controls are defined as follows:\n\n                              \xe2\x80\xa2 \t Operational Controls \xe2\x80\x93 Focus on mechanisms\n                                  primarily implemented and executed by people. These\n                                  controls are designed to improve the security of a\n                                  particular system, or group of systems. These controls\n                                  require technical or specialized expertise and often rely\n                                  on management and technical controls.\n\n                                                          **********\n\n                              \xe2\x80\xa2 \t Technical Controls \xe2\x80\x93 Focus on security controls\n                                  executed by IT systems. These controls provide\n                                  automated protection from unauthorized access or\n                                  misuse. They facilitate detection of security violations,\n                                  and support security requirements for applications and\n                                  data.\n\n                                                          **********\n\n                              \xe2\x80\xa2 \t Management Controls \xe2\x80\x93 Focus on managing both the\n                                  IT security system and system risk. These controls\n                                  consist of risk mitigation techniques and concerns\n                                  normally addressed by management.\n\n\n    Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                            Page 2\n\n\x0c                 Based on our internal analysis, we determined that this technical\n                 security evaluation should be performed at a DHS multicomponent\n                 location. Based on prior audit coverage of other DHS components,\n                 we focused on U. S. Citizenship and Immigration\n                 Services (USCIS) locations. Subsequently, we selected the Chet\n                 Holifield Federal Building (CHFB) located in Laguna Niguel,\n                 California, where the USCIS California Service Center and the\n                 USCIS Western Region field office are both located. While the\n                 U. S. Customs and Border Protection and U. S. Immigration and\n                 Customs Enforcement (ICE) also operated in this facility, their\n                 activities will be addressed in separate evaluation reports.\n\n\n\n\nTechnical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                        Page 3\n\x0cResults of Review\n\n     Systems Did Not Comply Fully With DHS Operational\n     Control Requirements\n                      Some operational controls that USCIS implemented at CHFB did\n                      not conform to DHS policies; these included physical security, and\n                      environmental and business continuity controls. The business\n                      continuity deficiencies are particularly significant and place\n                      USCIS at risk of not being able to access IT assets and data when\n                      necessary. Collectively, the deficiencies identified below could\n                      place at risk the confidentiality, integrity, and availability of the\n                      data stored, transmitted, and processed by USCIS at CHFB.\n\n                      Physical Security Controls\n\n                      While USCIS has implemented some physical security access\n                      controls, including the use of badges, card readers, and locked\n                      entrances, physical security could be strengthened at their CHFB\n                      computer room. Examples of situations that need attention follow:\n\n                           \xe2\x80\xa2 \t USCIS needs more physical security controls to limit\n                               access to stored materials. Currently, once staff enter the\n                               controlled area, they have access to controlled paper,\n                               sensitive printouts, backup tapes, routers, printers, and\n                               servers and the telecommunications closet in the computer\n                               room. Figure 1 illustrates how printouts are not segregated\n                               and restricted, but are commonly placed on a table near the\n                               entrance to the computer room. Nearby, USCIS places\n                               daily backup tapes for couriers.\n\n\n\n\n                                        Figure 1: Computer Room printout desk\n\n\n     Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                             Page 4\n\n\x0c                     \xe2\x80\xa2 \t Server racks and telecommunication closets are left either\n                         unlocked or with the key in the lock. For example, a\n                         cabinet containing equipment owned by the Federal Bureau\n                         of Investigation (FBI) was closed, but the key was inserted\n                         in the lock. Anyone with access to the room had access to\n                         the FBI\xe2\x80\x99s router, as Figures 2 and 3 below show.\n\n\n\n\n                                   Figure 2: FBI router cabinet with key in door\n\n\n\n\n                                       Figure 3: Inside of FBI router cabinet\n\n                     \xe2\x80\xa2 \t A USCIS official said that the cyber locks for the\n                         telecommunications closets have not been changed in 3\n                         years. Using cyber locks that have not been changed on a\n\n\nTechnical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                        Page 5\n\x0c                          regular basis could leave the USCIS IT assets vulnerable to\n                          loss, theft, destruction, sabotage, or compromise.\n\n                 The examples mentioned above increase the risk of unauthorized\n                 access to potentially sensitive information and accidental loss of\n                 power or damage to IT resources at CHFB.\n\n                 According to the DHS 4300A Handbook:\n\n                          To protect sensitive information and limit the damage that\n                          can result from accident, error, or unauthorized use, the\n                          principle of least privilege must be applied. The principle\n                          of least privilege requires that users be granted the most\n                          restrictive set of privileges (or lowest clearance) needed for\n                          performance of authorized tasks\xe2\x80\x94i.e., users should be able\n                          to access only the system resources needed to fulfill their\n                          job responsibilities.\n\n                 Environmental Controls\n\n                 USCIS should maintain its environmental operational controls at\n                 proscribed levels by adjusting the heating, ventilation, and air\n                 conditioning (HVAC) temperature controls in the computer and\n                 telecommunications rooms, in accordance with agency guidance.\n                 This is especially a concern for the USCIS computer room, which\n                 had temperatures above 70 degrees in February. After we reported\n                 this information to USCIS, immediate action was taken to reset the\n                 air conditioning controls appropriately.\n\n                 Additionally, USCIS\xe2\x80\x99 communications equipment was also at risk\n                 of failure because of the absence of temperature or humidity\n                 sensors in the telecommunications closets.\n\n                 According to the DHS 4300A Handbook:\n\n                          Temperatures in computer storage areas should be held\n                          between 60 and 70 degrees Fahrenheit.\n\n                 The absence of temperature and humidity sensors and proper\n                 HVAC settings for IT equipment increases the risk that USCIS\xe2\x80\x99 IT\n                 assets may break down.\n\n\n\n\nTechnical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                        Page 6\n\x0c                 Business Continuity\n\n                 USCIS\xe2\x80\x99 business continuity capability also needs to be improved at\n                 CHFB. We identified several issues involving USCIS resources in\n                 room 2102, including:\n\n                     \xe2\x80\xa2 \t An alternate process site has not been identified;\n                     \xe2\x80\xa2 \t There is no backup electrical generator to be used in case of\n                         a power failure;\n                     \xe2\x80\xa2 \t There is only one electrical conduit providing power to the\n                         USCIS server room;\n                     \xe2\x80\xa2 \t USCIS has not provided redundancy for several servers;\n                     \xe2\x80\xa2 \t Several servers are not being backed up;\n                     \xe2\x80\xa2 \t Several servers are not connected to a redundant power\n                         distribution unit; and\n                     \xe2\x80\xa2 \t One of the power distribution units is not connected to the\n                         emergency power-off switch.\n\n                 To give an example in detail, a power distribution unit\xe2\x80\x99s display\n                 was broken. However, USCIS could not shut this unit down to\n                 replace the display without shutting down some servers.\n                 Additionally, the need to connect all power distribution units to the\n                 emergency cut-off switch is related to USCIS\xe2\x80\x99 use of a water-based\n                 fire-suppression system. If all power distribution units are not\n                 connected to the emergency shut-off switch, the IT resources that\n                 are still receiving power when the sprinklers are activated are at\n                 increased risk of short circuit during a fire.\n\n                 Additionally, there is an increased risk from a hardware failure,\n                 e.g., a disk crash, could prevent USCIS employees from\n                 performing their assigned duties if servers are not backed up or\n                 have other redundant capabilities. Further, USCIS cannot ensure\n                 that its IT resources will be available when needed without backup\n                 generators and an alternate processing facility.\n\n                  According to the DHS 4300A Handbook:\n\n                          Care must be taken to ensure systems are designed with no\n                          single points of failure\xe2\x80\xa6DHS must have the capability to\n                          ensure continuity of essential functions under all\n                          circumstances.\n\n\n\n\nTechnical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                        Page 7\n\x0c        Recommendations\n                 We recommend that the USCIS CIO take the following actions for\n                 USCIS activities at CHFB:\n\n                 Recommendation #1: Implement stronger physical security and\n                 environmental controls to protect USCIS\xe2\x80\x99 IT assets from possible\n                 loss, theft, destruction, accidental damage, hazardous conditions,\n                 fire, malicious actions, and natural disasters.\n\n                 Recommendation #2: Implement business continuity of\n                 operations capability for USCIS facilities at CHFB, including the\n                 installation of a backup power supply, the connection of all power\n                 distribution units to the emergency power-off control, and the\n                 elimination of single points of failure.\n\n        Management Comments and OIG Analysis\n                  We obtained written comments on a draft of this report from the\n                  USCIS CIO. We have included a copy of the comments in their\n                  entirety at Appendix B.\n\n                  In the comments, the CIO concurred with findings and\n                  recommendations one and two in our report. The CIO also stated\n                  that USCIS has a plan to improve operational and physical\n                  security for IT at CHFB. However, USCIS also stated that, \xe2\x80\x9cThe\n                  plan will be executed when funding is available.\xe2\x80\x9d This\n                  recommendation will be considered resolved but open pending\n                  verification of planned actions.\n\n                  The USCIS response to recommendation two discussed a\n                  Continuity of Operations plan to move processing to a\n                  \xe2\x80\x98devolution\xe2\x80\x99 site.\xe2\x80\x99 We expect the plan of action and milestones\n                  for this recommendation to include the establishment of a\n                  devolution agreement with the Vermont Service Center and\n                  testing of this capability. We also agree with USCIS that the\n                  establishment of an uninterruptible power supply is an issue that\n                  all the tenants in the CHFB facility should work to resolve.\n                  Finally, upon receiving these management comments, we again\n                  contacted the USCIS support staff in CHFB. They confirmed that\n                  one of the power distribution units is still not connected to the\n                  emergency cut-off switch. This recommendation will be\n                  considered resolved but open pending verification of planned\n                  actions.\n\n\nTechnical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                        Page 8\n\x0c          Systems Did Not Comply Fully With DHS Technical Control\n          Requirements\n                            USCIS\xe2\x80\x99 implementation of technical controls did not conform to\n                            DHS policies involving configuration management of operating\n                            systems and their router, as well as password management\n                            requirements. These deficiencies increase the risk that USCIS IT\n                            systems used at CHFB are vulnerable to internal attacks.\n\n                            Operating System Configuration Management\n\n                            Unsupported operating systems were running on USCIS\xe2\x80\x99 servers at\n                            CHFB. Specifically, some USCIS servers were running a release\n                            of the Novell operating system that has not been supported by\n                            Novell since 2004. Other USCIS servers were running Microsoft\n                            Windows NT 4.0, which is no longer supported by Microsoft.\n                            Operating systems that are not supported by their vendors do not\n                            receive updates or \xe2\x80\x9cpatches\xe2\x80\x9d when a vulnerability or exploitation\n                            has been identified.\n\n                            Additionally, our technical scans identified USCIS servers with\n                            known vulnerabilities.1 For example, even though all DHS\n                            components were required by the DHS Computer Security Incident\n                            Response Center (CSIRC) to apply the patch MS06-040 by\n                            August 17, 2006, we identified 26 servers that were missing this\n                            patch.\n\n                            According to DHS Directive 4300A:\n\n                                     Components shall manage systems to reduce vulnerabilities\n                                     through vulnerability testing, promptly installing patches,\n                                     and eliminating or disabling unnecessary services, if\n                                     possible.\n\n                            According to the DHS 4300A Handbook:\n\n                                     DHS Components must have provisions for reacting\n                                     quickly as these critical patches are identified and released\n                                     by the DHS CSIRC.\n\n\n\n\n1\n    See Appendices C and D for an inventory of USCIS servers with known vulnerabilities.\n          Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                                   Page 9\n\n\x0c                 Router Configuration Management Controls\n\n                 USCIS\xe2\x80\x99 router at CHFB is vulnerable to a wide range of attacks\n                 because they were running older versions of the Simple Network\n                 Management Protocol. Further, this router was not properly\n                 configured to prevent an \xe2\x80\x9cinsider\xe2\x80\x9d from gaining unauthorized\n                 privileges and information. For example, telnet was being used on\n                 the USCIS router. However, telnet does not encrypt login and\n                 password credentials. This may allow an attacker to capture login\n                 credentials and remotely take control of the router and change or\n                 delete configuration files.\n\n                 According to DHS Directive 4300A:\n\n                          Telnet shall not be used to connect to any DHS computer.\n                          A connection protocol such as Secure Shell (SSH) that\n                          employs secure authentication (two factor, encrypted, key\n                          exchange, etc.) and is approved by the Component shall be\n                          used instead.\n\n                 Password Management Requirements\n\n                 USCIS\xe2\x80\x99 password policies did not conform to DHS Directive\n                 4300A or were not consistently applied to all USCIS\xe2\x80\x99 servers.\n                 Specifically, the policies for password length, history, and age\n                 were not consistent on all USCIS servers. Additionally, there were\n                 accounts where the password had never been changed, or where\n                 the password would never expire.\n\n                 According to the DHS 4300A Handbook:\n\n                          Passwords are important because they are often the first\n                          line of defense against hackers or insiders who may be\n                          trying to obtain unauthorized access to a computer system\n                          \xe2\x80\xa6 Passwords shall be at least 8 characters in length [and]\n                          shall be changed or expire in 180 days or less.\n\n        Recommendations\n                 We recommend that the USCIS CIO take the following actions for\n                 USCIS activities at CHFB:\n\n                 Recommendation #3: Develop a migration plan to transition\n                 from unsupported operating systems to new systems for which\n                 DHS has a Secure Baseline Configuration Guide.\n\nTechnical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                        Page 10\n\x0c                         Recommendation #4: Implement the password policy established\n                         by DHS directive 4300A.\n\n                         Recommendation #5: Use a connection protocol that employs\n                         secure authentication.\n\n                         Recommendation #6: Eliminate or disable unnecessary services\n                         from their servers.\n\n                         Recommendation #7: Develop a process for implementing\n                         identified patches in a timely fashion.\n\n                 Management Comments and OIG Analysis\n                          In the comments, the CIO concurred with these recommendations\n                          and also reported steps that USCIS has taken to resolve these\n                          issues. We believe that the actions that USCIS has taken and\n                          plans to take will resolve the reported issues. These\n                          recommendations will be considered resolved but open pending\n                          verification of reported actions.\n\n        Systems Did Not Comply Fully With DHS Management Control\n        Requirements\n                         USCIS\xe2\x80\x99 implementation of management controls at CHFB did not\n                         conform to DHS policies. Specifically, there are deficiencies in\n                         system accreditation, implementation of wireless devices, missing\n                         interconnection security agreements (ISA), and privacy\n                         compliance activities related to personal information.2 These\n                         management control deficiencies increase the risk to USCIS IT\n                         investments, systems, and data from new threats and vulnerabilities\n                         for which safeguards have not been implemented.\n\n\n\n\n2\n Laws that govern DHS' use of personal information include the Homeland Security Act of 2002, \xc2\xa7 222,\n6 U.S.C. \xc2\xa7 142; the Privacy Act of 1974, 5 U.S.C. \xc2\xa7 552a; and the E-Government Act of 2002, \xc2\xa7 208,\n44 U.S.C. \xc2\xa7 3501 note.\n         Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                               Page 11\n\n\x0c                          System Accreditation Deficiencies\n\n                          USCIS currently is using 21 systems at CHFB.3 However, only 7\n                          of the 21 (33%) are currently authorized to operate.4 The\n                          authorization to operate has expired for nine (43%) systems and\n                          USCIS has not started the accreditation process for the remaining\n                          five (24%) systems. See Figure 4 below.\n\n\n                                                     Accreditiation Status\n\n                                               for USCIS Systems In Use at the\n\n                                                Chet Holifield Federal Building\n\n\n                                                                  24%\n                                                                                         Not Started\n\n                                        43%                                              Authorized to\n                                                                                         Operate\n                                                                                         Expired\n\n                                                                33%\n                                                            Figure 4\n\n                          Additionally, 3 of the 7 (43%) systems that are authorized to\n                          operate have expired risk assessments. USCIS Designated\n                          Accrediting Authorities (DAA) cannot determine if security\n                          controls for USCIS systems and data are adequate unless risk\n                          assessments are performed regularly.\n\n\n\n\n3\n  An additional system, the Laguna Administrative Center, is currently in the USCIS TA-FISMA Inventory. \n\nHowever, this system was not included in this report\xe2\x80\x99s inventory because ICE and USCIS are in the process \n\nof determining who has responsibility for this system. \n\n4\n  See Appendix E, Accreditation and Risk Assessment Status for USCIS Systems, for details. \n\n         Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                                Page 12\n\n\x0c                          According to DHS Directive 4300A:\n\n                                   Components shall conduct risk assessments whenever\n                                   significant changes to the system configuration or to the\n                                   operational/threat environment have been made, or every 3\n                                   years, whichever occurs first.\n\n                          Further, USCIS management cannot be assured that IT systems\n                          and data are adequately secured unless the various activities\n                          leading to accreditation are performed and the DAA has accepted\n                          in writing the risks associated with operating the systems.\n\n                          According to DHS 4300A Handbook:\n\n                                   The initial Risk Assessment is updated and revised and\n                                   becomes the final Risk Assessment as part of the overall\n                                   accreditation process after the controls are implemented\n                                   and tested and the results/corrective actions are\n                                   implemented. Through the development of the final Risk\n                                   Assessment, the definition of the program residual risk can\n                                   be determined for the DAA\xe2\x80\x99s acceptance during\n                                   accreditation.\n\n                          We also identified four additional IT resources that USCIS had not\n                          previously included in the DHS\xe2\x80\x99 Trusted Agent FISMA\n                          (TA-FISMA) reporting tool.5 Staff from USCIS and the office of\n                          the DHS Chief Information Security Officer (CISO) are in the\n                          process of determining if these IT resources should be part of the\n                          accreditation process. 6 IT resources that are not included in the\n                          accreditation process may not be adequately secured, increasing\n                          the risk to USCIS systems and data.\n\n                          According to DHS 4300A Handbook:\n\n                                   For operational systems, the DAA makes a risk-based\n                                   decision either to grant full authorization to operate or\n                                   deny authorization to operate.\n\n\n\n\n5\n  DHS uses an enterprise management tool, Trusted Agent FISMA, to collect and track data related to all\nPlans of Action and Milestones, including self-assessments, and certification and accreditation data.\n6\n  See Appendix F, USCIS IT Resources In Use But Not Included In Trusted Agent-FISMA, for names of\nthese IT resources.\n         Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                                 Page 13\n\n\x0c                 Misconfigured Wireless Devices\n\n                 USCIS\xe2\x80\x99 onsite implementation of management controls at CHFB\n                 did not ensure that its wireless devices were properly configured.\n                 Specifically, wireless keyboards and mice were attached to devices\n                 belonging to the Western Region Office, which is one of the IT\n                 Resources not in TA-FISMA. These wireless devices were\n                 running Wired Equivalent Privacy, which is the oldest version of\n                 the wireless security protocol. This security protocol version is\n                 vulnerable to both replay attacks and integrity violations.\n\n                 According to the DHS 4300A Handbook Attachment Q1, Sensitive\n                 Wireless Systems:\n\n                          [Wireless Local Area Network] WLAN systems should meet\n                          the Wi-Fi Alliance Wireless Protected Access 2 (WPA2)\n                          interoperability standard that is based on the Institute for\n                          Electrical and Electronics Engineers (IEEE) 802.11i\n                          security standard.\n\n                 Missing Interconnection Security Agreements\n\n                 During our fieldwork, we documented several interconnections\n                 between USCIS systems and systems operated by other agencies\n                 and DHS components. USCIS agrees that the required\n                 interconnection security agreements for these systems exist, but\n                 they were unable to provide them. Specifically, interconnection\n                 security agreements should be established and maintained for\n                 connections between the USCIS California Service Center Local\n                 Area Network and the following:\n\n                     \xe2\x80\xa2 \t The DHS OneNet,\n                     \xe2\x80\xa2 \t The U. S. Coast Guard Marine Information for Safety and\n                         Law Enforcement,\n                     \xe2\x80\xa2 \t Department of Justice mainframe legacy applications,\n                     \xe2\x80\xa2 \t The Executive Office of Immigration Review \xe2\x80\x93 Court\n                         Inquiry information system,\n                     \xe2\x80\xa2 \t The FBI Integrated Automated Fingerprint Information\n                         Systems,\n                     \xe2\x80\xa2 \t The State Department\xe2\x80\x99s Integrated Visa Allocation\n\n                         Management System, and \n\n                     \xe2\x80\xa2 \t The Pitney Bowes mail information database.\n\n                 Additionally, USCIS should have interconnection security\n                 agreements with ICE for IT and telecommunication services.\n\nTechnical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                        Page 14\n\x0c                          By not establishing and maintaining interconnection security\n                          agreements, USCIS may not be aware of new threats or\n                          vulnerabilities to the confidentiality, integrity, and availability of\n                          its systems and data.\n\n                          According to the DHS 4300A Handbook:\n\n                                  Components shall document interconnections with other\n                                  external networks with an Interconnection Security\n                                  Agreement (ISA). Interconnections between DHS\n                                  Components shall require an ISA when there is a difference\n                                  in the security categorizations for confidentiality, integrity,\n                                  and availability for the two networks. ISAs shall be signed\n                                  by both DAAs or by the official designated by the DAA to\n                                  have signatory authority.\n\n                                                              **********\n\n                                  ISAs shall be reissued every three years or whenever any\n                                  significant changes have been made to any of the\n                                  interconnected systems\xe2\x80\xa6ISAs shall be reviewed as a part\n                                  of the annual FISMA self-assessment.\n\n                          Incomplete Privacy Compliance Activities\n\n                          USCIS had not completed all privacy compliance activities for\n                          USCIS systems in use at CHFB. Specifically, only 3 of 21 (14%)\n                          of USCIS systems in TA-FISMA have completed all required\n                          privacy compliance activities.7 Further, the Department has\n                          validated only 1 of the 16 (6%) Privacy Impact Assessments (PIA)\n                          known to be required for these systems. One of the systems\n                          without a PIA is the Offshore Migrant Information Tracking\n                          System. This system, which contains actual data, is listed in\n                          TA-FISMA as a \xe2\x80\x98Developmental\xe2\x80\x99 system.\n\n                          According to the DHS Privacy Office\xe2\x80\x99s Privacy Impact\n                          Assessments Official Guidance:\n\n                                  The PIA requirement does not provide an exemption for\n                                  pilot testing a program or system. If a PIA is ultimately\n                                  required for a system, any pilot of that system must have\n                                  the PIA completed prior to the pilot launch. This applies\n                                  even if the pilot initially plans to use anonymous data but\n\n7\n See Appendix G, Status of Privacy Act Related Activities for USCIS Systems in Use at the Chet Holifield\nFederal Building, for detailed information on incomplete Privacy Act activities.\n         Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                                Page 15\n\n\x0c                                  will use personally identifiable information as it moves out\n                                  of pilot.\n\n                         Additionally, while the department has issued three new public\n                         notices for systems in use at the CHFB, there are three other legacy\n                         System of Records Notices that no longer accurately report the\n                         owners of the systems.8\n\n                         USCIS and DHS Privacy Office officials have told us that the\n                         Savings Provision of the Homeland Security Act of 2002 allows\n                         DHS to rely on legacy system of records notices.9\n\n                 Recommendations\n                         We recommend that the USCIS CIO take the following actions for\n                         USCIS activities at CHFB:\n\n                         Recommendation #8: Complete the activities required to accredit\n                         and authorize IT systems that are in use at CHFB.\n\n                         Recommendation #9: Properly configure wireless devices prior\n                         to installation.\n\n                         Recommendation #10: Establish and maintain the required\n                         interconnection security agreements.\n\n                         Recommendation #11: Complete privacy impact assessments and\n                         publish updated System of Records Notices as needed for systems\n                         in use at CHFB.\n\n                 Management Comments and OIG Analysis\n                          In the comments, the CIO concurred with these recommendations\n                          and also reported steps that USCIS has taken to resolve these\n                          issues. Regarding recommendation eight, USCIS stated that all\n                          systems were authorized to operate. However, a review of\n                          TA-FISMA showed that the systems that were not authorized to\n\n8\n  The three legacy Systems of Records Notices are Justice/INS-013, CLAIMS 3/4 (67 FR 64132), \n\nJustice/INS-031 RNACS (67 FR 20996), and DOT/CG 679 MISLE (67 FR 19612).\n\n9\n  According to the Homeland Security Act of 2002, Section 1512, Savings Provision:\n\n\n        (a) COMPLETED ADMINISTRATIVE ACTIONS. \xe2\x80\x94(1) Completed administrative actions of an\n        agency shall not be affected by the enactment of this Act or the transfer of such agency to the\n        Department, but shall continue in effect according to their terms until amended, modified,\n        superseded, terminated, set aside, or revoked in accordance with law by an officer of the United\n        States or a court of competent jurisdiction, or by operation of law.\n        Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                                Page 16\n\x0c                  operate during our fieldwork have now been authorized to operate\n                  even though the required certification package has not been\n                  completed or the Privacy Impact Assessment has not been\n                  performed. We have updated the table in Appendix E to reflect\n                  actions that USCIS has taken.\n\n                  Additionally, USCIS reported that APPLES and CASE Status\n                  Online were subsystems of CLAIMS 3 LAN. However, a review\n                  of TA-FISMA screens, and two CLAIMS 3 LAN artifacts did not\n                  list these as subsystems. Separately, USCIS reported that the\n                  Western Regional Office is in TA-FISMA. We are aware that\n                  USCIS changed the name of the \xe2\x80\x98Administrative Center Laguna\xe2\x80\x99\n                  to \xe2\x80\x98Western Regional Office\xe2\x80\x99 in TA-FISMA in August 2007.\n                  However, USCIS has not updated all the TA-FISMA artifacts to\n                  reflect this change. Recommendation eight will be considered\n                  resolved but open pending verification of planned actions.\n\n                  In addition to their written comments, USCIS staff also informed\n                  us that the new Information Systems Security Officer for the\n                  Western Regional Office removed the non-compliant wireless\n                  keyboards and mice. Recommendation nine will be considered\n                  resolved but open pending verification of planned actions.\n\n                  USICS also agreed with recommendations 10 and 11. These\n                  recommendations will be considered resolved but open pending\n                  verification of planned actions\n\n\n\n\nTechnical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                        Page 17\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\nPurpose, Scope, and Methodology\n                             This review is part of a program to evaluate, on an ongoing basis,\n                             the implementation of DHS technical and information security\n                             policies and procedures at DHS sites. The objective of this\n                             program is to determine the extent to which critical DHS sites\n                             comply with the department\xe2\x80\x99s technical and information security\n                             policies and procedures, according to DHS Directive 4300A and its\n                             companion document, the DHS 4300A Handbook.\n\n                             We coordinated the implementation of this technical security\n                             evaluation program with the DHS CISO. We mutually agreed to\n                             the wording for the Rules of Behavior for the technical testing.10\n                             Our entrance and exit conferences were held with USCIS officials\n                             at the Office of Information Technology in Washington, DC, and\n                             by telephone with CHFB OIT officials.\n\n                             Technical evaluations were performed only after the DHS CISO\n                             and USCIS agreed to our negotiated Rules of Behavior. These\n                             technical evaluations included\n                                    \xe2\x80\xa2 \t Security scans of the servers using various software\n                                        packages, and\n                                    \xe2\x80\xa2 \t Scans to determine whether wireless devices were\n                                        being used by DHS components.\n\n                             We reviewed applicable DHS and USCIS policies and procedures\n                             and USCIS\xe2\x80\x99 responses to our site surveys and technical\n                             questionnaires. Prior to performing our onsite review, we used\n                             USCIS\xe2\x80\x99 responses to identify occupied space, server rooms, and\n                             telecommunications closets. Our onsite review included a physical\n                             review of USCIS space and interviews with USCIS staff. Our\n                             technical review included onsite reviews of server security policies\n                             as well as scans for DHS wireless devices operating at CHFB.\n                             Additionally, we reviewed guidance provided by DHS to the\n                             components in the areas of patch management, operation systems,\n                             and wireless security.\n\n                             We provided USCIS with briefings concerning the results of\n                             fieldwork and the information summarized in this report. We\n                             conducted this review between February and July 2007.\n\n\n\n\n10\n     The Rules of Behavior established the boundaries and schedules for the technical evaluations.\n           Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                                   Page 18\n\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\n                       We performed our work according to the Quality Standards for\n                       Inspection of the President\xe2\x80\x99s Council on Integrity and Efficiency\n                       and pursuant to the Inspector General Act of 1978, as amended.\n\n                       We appreciate the efforts by DHS management and staff to provide\n                       the information and access necessary to accomplish this review.\n                       Our points of contact for this report are Frank Deffer, Assistant\n                       Inspector General for Information Technology, (202) 254-4100,\n                       and Roger Dressler, Director for Information Systems and\n                       Architectures, (202) 254-5441. Major OIG contributors to the\n                       review are identified in Appendix H.\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                              Page 19\n\x0cAppendix B\nManagement\xe2\x80\x99s Comments to the Draft Report\n\n\nManagement\xe2\x80\x99s Comments to the Draft Report \n\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                              Page 20\n\x0cAppendix B\nManagement\xe2\x80\x99s Comments to the Draft Report\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                              Page 21\n\n\x0cAppendix B\nManagement\xe2\x80\x99s Comments to the Draft Report\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                              Page 22\n\n\x0cAppendix B\nManagement\xe2\x80\x99s Comments to the Draft Report\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                              Page 23\n\n\x0cAppendix C\nUSCIS Novell Servers with Known Vulnerabilities\n\n\nUSCIS Novell Servers with Known Vulnerabilities \n\n                            Vulnerability                             Number of USCIS\n                                                                          Servers\n                                                                     At CHFB With This\n                                                                        Vulnerability\n         The Lightweight Directory Access Protocol \xe2\x80\x93                         1\n         a Null bind entry that allows a user to access\n         this protocol anonymously to view files on\n         the protocol directory.\n         It is possible to guess the community name of                           1\n         the remote Simple Network Management\n         Protocol.\n         An attacker could access the Lightweight                                1\n         Directory Access Protocol schema to gain\n         information about this protocol server.\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                              Page 24\n\n\x0cAppendix D\nUSCIS Windows Servers with Known Vulnerabilities\n\n\nUSCIS Windows Servers with Known Vulnerabilities \n\n                                                                              Number of USCIS\n                                 Vulnerability                                Servers at CHFB\n                                                                                 With This\n                                                                                Vulnerability\n         Messenger service is a security hazard \xe2\x80\x93 this service                        1\n         may be used to commit a denial of service attack or\n         social engineer on the network.\n         Arbitrary code can be executed on the remote host due                           9\n         to a flaw in the Local Security Authority Server\n         Service. This may allow an attacker to execute\n         arbitrary code on the remote host with system\n         privileges.\n         The scanning tool was able to enumerate the network                             1\n         share names by connecting the remote host using a\n         Null or guest session. This can allow an attacker the\n         ability to escalate privileges as well as provide the\n         location of critical files.\n         The Secure Sockets Layer certificate on the remote                              1\n         service expired. This means that the remote\n         management cannot guarantee the validity of the\n         certificate being accepted.\n         Vulnerability exists in the Microsoft Abstract Syntax                           9\n         Notation One library that could allow code execution\n         on an affected system.\n         Buffer overflow vulnerability exists within Microsoft                          26\n         Server Service Remote Code Execution, which may\n         allow for a remote, anonymous attacker to execute\n         arbitrary code on a host.\n         Microsoft SQL System Administrator account was not                              2\n         password protected. This means that a remote attacker\n         can log into the SQL server with administrative\n         privileges.\n         A Null session occurs when an attacker sends a blank                           20\n         username and blank password to try to connect to the\n         Inter Process Communications and then an attacker is\n         able to gain a list of user names, shares, and other\n         sensitive information.\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                              Page 25\n\n\x0cAppendix D\nUSCIS Windows Servers with Known Vulnerabilities\n\n\n\n                                                                              Number of USCIS\n                                 Vulnerability                                Servers at CHFB\n                                                                                 With This\n                                                                                Vulnerability\n         An unspecified remote code execution exists in the                           7\n         Simple Network Management Protocol service that\n         could allow an attacker to take complete control of the\n         affected system.\n         Account locked out \xe2\x80\x93 users account has been locked                              4\n         out due to an excessive number of incorrect login\n         attempts. This may indicate that an attacker is trying to\n         guess the account\xe2\x80\x99s password through brute force.\n         Anonymous File Transfer Protocol is enabled. Access                             3\n         to this protocol can lead to attacker gaining information\n         about the system that can possibly allow the attacker to\n         gain access to the system.\n         Buffer overflow exists within Microsoft\xe2\x80\x99s Network                               1\n         Connection Manage, which may allow an attacker to\n         send a specially crafted request to a vulnerable host to\n         cause denial of service.\n         Symantec pcAnywhere weak encryption allowed. This                               1\n         service provides connectivity to Microsoft Windows\n         system. PcAnywhere can be configured to allow\n         remote access without encryption or with a weak\n         proprietary encryption scheme.\n         A user account was detected with no required                                    2\n         password. This allows an attacker unauthorized access,\n         including the ability to take over and replace processes,\n         and access other computers on the network.\n         It is possible to make the remote File Transfer Protocol                        1\n         server crash by sending the command\n         \xe2\x80\x98STAT*?AAA\xe2\x80\xa6AAA. An attacker may use this flaw\n         to prevent a system from distributing files.\n         It is possible to anonymously read the event logs of the                        1\n         remote Windows 2000. An attacker may use this flaw\n         to anonymously read the system logs of the remote\n         host.\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                              Page 26\n\n\x0cAppendix D\nUSCIS Windows Servers with Known Vulnerabilities\n\n\n\n                                                                              Number of USCIS\n                                 Vulnerability                                Servers at CHFB\n                                                                                 With This\n                                                                                Vulnerability\n         The Citrix server is configured in a way that may allow                      8\n         an external attacker to enumerate remote services.\n         The echo service was detected as running. This service                          1\n         uses port 7/tcp and can be spoofed into sending data\n         from service on one computer to service on another\n         computer.\n         The service \xe2\x80\x9cRouted,\xe2\x80\x9d was active on the server\xe2\x80\x99s router                         1\n         port. This service uses port 520/tcp or an application\n         using routing information protocol, which provides to\n         an attacker a host\xe2\x80\x99s routing information.\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                              Page 27\n\n\x0cAppendix E\nCertification and Accreditation Status\n\n  Green: Authorized to      Yellow: Authorization had expired       Red: Authorization work has\n  Operate (during           (during fieldwork)                      not started\n  fieldwork)\n\n\n\nCertification and Accreditation Status \n\nTA-FISMA            System Name                  Risk             Accreditation          Current\n Identifier                                   Assessment             Status            Accreditation\n                                                Status                                    Status\nCIS-00054       Benefits Biometrics           Completed         Authorized to              ATO\nMAJ-00054       Support System                                  Operate (ATO)\n                (BBSS)\nCIS-00057       Citizenship and               Completed                ATO                  ATO\nMAJ-00057       Immigration\n                Service Centralized\n                Oracle Repository\n                (CISCOR)\nCIS-00081       National File                 Completed                ATO                  ATO\nMAJ-00081       Tracking System\n                (NFTS)\nCIS-00087       Scheduling and                Completed                ATO                  ATO\nMAJ-00087       Notification of\n                Applicants for\n                Processing (SNAP)\nCIS-00084       RAFACS - Receipt                Expired                ATO                  ATO\nMAJ-00084       and Alien File\n                Accountability and\n                Control System,\n                Version 2.9\nCIS-00085       Reengineered                    Expired                ATO                  ATO\nMAJ-00085       Naturalization\n                Application\n                Casework System\n                (RNACS)\nCIS-00086       Refugee, Asylum,                Expired                ATO                  ATO\nMAJ-00086       and Parole System\n                (RAPS)\n\n\n\n\n       Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                               Page 28\n\n\x0cAppendix E\nCertification and Accreditation Status\n\n  Green: Authorized to      Yellow: Authorization had expired       Red: Authorization work has\n  Operate (during           (during fieldwork)                      not started\n  fieldwork)\n\n\n\n\nTA-FISMA            System Name                  Risk             Accreditation          Current\n Identifier                                   Assessment             Status            Accreditation\n                                                Status                                    Status\nCIS-00073       Integrated Card               Completed              Expired           ATO signed\nMAJ-00073       Production System                                                      on 7/30/2007\n                (ICPS) (formerly                                                          without\n                Integrated                                                               complete\n                Document                                                               certification\n                Production (IDP)).                                                       package\n                Subsystem:\n                National Production\n                Results (NPR)\nCIS-00109       Fraud Detection               Completed              Expired           ATO signed\nMAJ-00109       and National                                                           on 7/30/2007\n                Security Data                                                            without\n                System (FDNS DS)                                                        complete\n                                                                                       certification\n                                                                                         package\nCIS-00056       Alien File/Central              Expired              Expired           ATO signed\nMAJ-00056       Index System (A-                                                       on 7/30/2007\n                File/CIS)                                                                without\n                                                                                        complete\n                                                                                       certification\n                                                                                         package\nCIS-00058       CLAIMS 3                        Expired              Expired           ATO signed\nMAJ-00058       Mainframe -                                                            on 7/31/2007\n                Computer Linked                                                          without\n                Application                                                             complete\n                Information                                                            certification\n                Management                                                               package\n                System Mainframe\nCIS-00059       CLAIMS3 LAN -                   Expired              Expired           ATO signed\nMAJ-00059       Computer Linked                                                        on 8/01/2007\n                Application                                                              without\n                Information                                                             complete\n                Management                                                             certification\n                System 3 LAN.                                                            package\n\n\n\n\n       Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                               Page 29\n\n\x0cAppendix E\nCertification and Accreditation Status\n\n     Green: Authorized to    Yellow: Authorization had expired     Red: Authorization work has\n     Operate (during         (during fieldwork)                    not started\n     fieldwork)\n\n\n\n\nTA-FISMA             System Name                 Risk            Accreditation         Current\n Identifier                                   Assessment            Status           Accreditation\n                                                Status                                   Status\nCIS-00060        CLAIMS4                       Expired               Expired         ATO signed\nMAJ-00060        Computer Linked                                                     on 7/30/2007\n                 Application                                                            without\n                 Information                                                           complete\n                 Management                                                          certification\n                 System 4                                                              package\nCIS-00062        Customer                       Expired              Expired         ATO signed\nMAJ-00062        Relationship                                                        on 7/31/2007\n                 Interface System                                                       without\n                 (CRIS)                                                                complete\n                                                                                     certification\n                                                                                       package\nCIS-00092        California Service             Expired              Expired         ATO signed\nGSS-00092        Center (CSC).                                                       on 7/30/2007\n                                                                                        without\n                                                                                       complete\n                                                                                     certification\n                                                                                       package\nCIS-00064        Electronic Filing            In Progress            Expired          Two year\nMAJ-00064        System (E Filing)                                                   ATO signed\n                                                                                     on 7/31/2007\n                                                                                      without a\n                                                                                      validated\n                                                                                        Privacy\n                                                                                        Impact\n                                                                                     Assessment11\nCIS-00153        Alien Change of              Completed           Not Started        ATO signed\nMAJ-00153        Address (AR-11)                                                     on 7/30/2007\n                                                                                        without\n                                                                                       complete\n                                                                                     certification\n                                                                                       package\n\n\n\n\n11\n  According to the DHS 4300A Handbook, interim authorizations to operate are only allowed for systems\nin development testing and prototype systems.\n         Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                               Page 30\n\x0cAppendix E\nCertification and Accreditation Status\n\n  Green: Authorized to      Yellow: Authorization had expired       Red: Authorization work has\n  Operate (during           (during fieldwork)                      not started\n  fieldwork)\n\n\n\n\nTA-FISMA            System Name                  Risk             Accreditation          Current\n Identifier                                   Assessment             Status            Accreditation\n                                                Status                                    Status\nCIS-03370       Offshore Migrant              Not Started          Not Started          Not Started\nMAJ-03370       Information\n                Tracking System\n                (OMITS)\n(Not in TA      Automated\nFISMA)          Premium Process\n                LAN E-Mail System\n                (APPLES)\n(Not in TA      CASE Status Online\nFISMA)\n(Not in TA      Center Activity\nFISMA)          Tracking System\n                (CATS)\n\n\n\n\n       Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                               Page 31\n\n\x0cAppendix F\nUSCIS IT Resources in Use but Not Included in Trusted Agent FISMA\n\n\nUSCIS IT Resources in Use but Not Included in Trusted Agent\nFISMA\n\n                                            IT Resource Name\n                 CIS Training calendar\n                 Project Aware\n                 CIS Western Region Office12\n                 Enterprise Digital Mail Meter System\n\n\n\n\n12\n     USCIS has created an entry in TA-FISMA for this system but has not updated all the associated artifacts.\n          Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                                    Page 32\n\n\x0cAppendix G\nStatus of Privacy Compliance Activities for USCIS Systems\n\n  Green: In                 Yellow: DHS work has been              Red: DHS work has not\n  compliance.               started.                               started.\n\n\n\nStatus of Privacy Compliance Activities for USCIS Systems \n\n TA-FISMA            System Name            Privacy        Privacy       Has the Privacy       Applicable\n  Number                                   Threshold       Impact             Impact            System of\n                                            Analysis      Assessment       Assessment         Record Notice\n                                             (PTA)          (PIA)           (PIA) Been        According to\n                                                          Required?      Submitted to the     DHS Privacy\n                                                                           DHS Privacy           Office\n                                                                             Office for\n                                                                           Validation?\nCIS-00056       Alien File/Central        PTA              PIA           Yes. Reviewed        DHS-USCIS\nMAJ-00056       Index System (A-          completed       required       and Approved.        001 A-File \xe2\x80\x93\n                File/CIS)                                                                     CIS\n                                                                                              (72 FR 1755)\n                                                                                              (Supersedes:\n                                                                                              Justice/INS\n                                                                                              001A)\nCIS-00092       California Service        PTA             No PIA         NA                   NA\nGSS-00092       Center (CSC).             Completed       required\n\n\nCIS-00081       National File Tracking    PTA              No PIA is     NA                   DHS-USCIS\nMAJ-00081       System (NFTS)             Completed       required                            001 A-File \xe2\x80\x93\n                                                                                              CIS\n                                                                                              (72 FR 1755)\nCIS-03370       Offshore Migrant          PTA              PIA           No                   DOT/CG 679\nMAJ-03370       Information Tracking      completed       required                            MISLE\n                System (OMITS)                                                                (67 FR 19612)\n\nCIS-00153       Alien Change of           PTA              PIA           No                   Justice/INS\nMAJ-00153       Address (AR-11)           completed       required                            013,\n                                                                                              CLAIMS 3/4\n                                                                                              (67 FR 64132)\nCIS-00109       Fraud Detection and       PTA              PIA           PIA is in            Justice/INS\nMAJ-00109       National Security Data    Complete        required       progress for         013,\n                System (FDNS DS)                                         FDNS DS              CLAIMS 3/4\n                                                                                              (67 FR 64132)\nCIS-00087       Scheduling and            PTA             PIA            No                   Justice/INS\nMAJ-00087       Notification of           completed       required,                           013,\n                Applicants for                            covered by                          CLAIMS 3/4\n                Processing (SNAP)                         CLAIMS 3                            (67 FR 64132)\nCIS-00086       Refugee, Asylum, and      PTA              PIA           No                   DHS-USCIS\nMAJ-00086       Parole System (RAPS)      completed       required                            001 A-File -\n                                                                                              CIS\n                                                                                              (72 FR 1755)\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                              Page 33\n\n\x0cAppendix G\nStatus of Privacy Compliance Activities for USCIS Systems\n\n    Green: In                 Yellow: DHS work has been               Red: DHS work has not\n    compliance.               started.                                started.\n\n\n\n  TAF                 System Name               Privacy       Privacy        Has the Privacy          Applicable\n Number                                        Threshold       Impact       Impact Assessment          System of\n                                                Analysis     Assessment         (PIA) Been           Record Notice\n                                                 (PTA)          (PIA)        Submitted to the        According to\n                                                             Required?        DHS Privacy            DHS Privacy\n                                                                            Office for Review?          Office\n\nCIS-00085     Reengineered                    PTA             PIA           No                       Justice/INS\nMAJ-00085     Naturalization Application      completed      required                                031 RNACS\n              Casework System (RNACS)                                                                (67 FR 20996)\nCIS-00084     RAFACS - Receipt and            PTA             PIA           No                       Justice/INS\nMAJ-00084     Alien File Accountability       completed      required                                013,\n              and Control System, V 2.9                                                              CLAIMS 3/4\n                                                                                                     (67 FR 64132)\nCIS-00073     Integrated Card                 PTA             PIA           No                       Justice/INS\nMAJ-00073     Production System (ICPS)        completed      required                                013,\n              (formerly Integrated                                                                   CLAIMS 3/4\n              Document Production                                                                    (67 FR 64132)\n              (IDP)).\nCIS-00062     Customer Relationship           PTA             PIA           No                       Justice/INS\nMAJ-00062     Interface System (CRIS)         completed      required                                013,\n                                                                                                     CLAIMS 3/4\n                                                                                                     (67 FR 64132)\nCIS-00060     CLAIMS4 - Computer              PTA             PIA           No                       Justice/INS\nMAJ-00060     Linked Application              completed      required                                013,\n              Information Management                                                                 CLAIMS 3/4\n              System 4                                                                               (67 FR 64132)\nCIS-00059     CLAIMS3 LAN                     PTA             PIA           No                       Justice/INS\nMAJ-00059     Computer Linked                 completed      required.                               013,\n              Application Information                                                                CLAIMS 3/4\n              Management System 3                            PIA being                               (67 FR 64132)\n              LAN.                                           drafted.\nCIS-00058     CLAIMS 3 Mainframe -            PTA             PIA           No                       Justice/INS\nMAJ-00058     Computer Linked                 completed      required                                013,\n              Application Information                                                                CLAIMS 3/4\n              Management System                                                                      (67 FR 64132)\n              Mainframe\nCIS-00057     Citizenship and                 PTA            PIA            No                       Justice/INS\nMAJ-00057     Immigration Service             completed      required,                               013,\n              Centralized Oracle                             covered by                              CLAIMS 3/4\n              Repository (CISCOR)                            CLAIMS 3                                (67 FR 64132)\nCIS-00054     Benefits Biometrics             PTA            PIA             *                       DHS/USCIS\nMAJ-00054     Support System (BBSS)           completed      required                                003 BSS\n                                                                                                     (72 FR 17172)\n* DHS has not provided the Privacy Impact Assessment for this system.\n\n\n\n\n         Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                                 Page 34\n\n\x0cAppendix G\nStatus of Privacy Compliance Activities for USCIS Systems\n\n   Green: In                Yellow: DHS work has been               Red: DHS work has not\n   compliance.              started.                                started.\n\n\n  TAF               System Name               Privacy       Privacy        Has the Privacy          Applicable\n Number                                      Threshold       Impact       Impact Assessment          System of\n                                              Analysis     Assessment         (PIA) Been           Record Notice\n                                               (PTA)          (PIA)        Submitted to the        According to\n                                                           Required?        DHS Privacy            DHS Privacy\n                                                                          Office for Review?          Office\n\nCIS-00064   Electronic Filing System (E     PTA             PIA            PIA not yet             Justice/INS\nMAJ-00064   Filing)                         completed      required       validated.               013,\n                                                                                                   CLAIMS 3/4\n                                                                                                   (67 FR 64132)\n            APPLES- Automated               PTA not\n            Premium Process LAN E-          received as\n            Mail System                     of 6/6/07\n            CASE System Online              PTA not\n                                            received as\n                                            of 6/6/07\n            CATS \xe2\x80\x93 Center Activity          PTA not                                                May be\n            Track System                    received as                                            covered by\n                                            of 6/6/07                                              Justice/INS\n                                                                                                   013,\n                                                                                                   CLAIMS 3/4\n                                                                                                   (67 FR 64132)\n\n\n\n\n       Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                               Page 35\n\n\x0cAppendix H\nMajor Contributors to This Report\n\n\n\n                       Roger Dressler, Director, Department of Homeland Security,\n                       Information Technology Audits\n\n                       Kevin Burke, Audit Manager, Department of Homeland Security,\n                       Information Technology Audits\n\n                       Beverly Dale, Senior Auditor, Department of Homeland Security,\n                       Information Technology Audits\n\n                       Domingo Alvarez, Senior Auditor, Department of Homeland\n                       Security, Information Technology Audits\n\n                       Matthew Worner, Senior Program Analyst, Department of\n                       Homeland Security, Information Technology Audits\n\n                       Basil Marcus Badley, Technical Evaluator, Department of\n                       Homeland Security, Information Technology Audits\n\n                       Syrita Morgan, Management and Program Assistant, Department\n                       of Homeland Security, Information Technology Audits\n\n                       Samer El-Hage, Management and Program Assistant, Department\n                       of Homeland Security, Information Technology Audits\n\n                       Meghan Sanborn, Referencer, Department of Homeland Security,\n                       Information Technology Audits\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n\n                                              Page 36\n\n\x0cAppendix I\nReport Distribution\n\n\n\n                       Department of Homeland Security\n\n                       Secretary\n                       Deputy Secretary\n                       Chief of Staff\n                       Deputy Chief of Staff\n                       General Counsel\n                       Executive Secretary\n                       Under Secretary, Management\n                       Director, USCIS\n                       Assistant Secretary for Policy\n                       Assistant Secretary for Public Affairs\n                       Assistant Secretary for Legislative Affairs\n                       Chief Information Officer\n                       Deputy Chief Information Officer\n                       Chief Privacy Officer\n                       Chief Information Security Officer\n                       Information Systems Security Manager, USCIS\n                       DHS Audit Liaison\n                       USCIS Audit Liaison\n\n                       Office of Management and Budget\n\n                       Chief, Homeland Security Branch\n                       DHS OIG Budget Examiner\n\n                       Congress\n\n                       Congressional Oversight and Appropriations Committees, as\n                       appropriate\n\n\n\n\n      Technical Security Evaluation of USCIS Activities at the Chet Holifield Federal Building\n\n                                              Page 37\n\x0cAdditional Information and Copies\nTo obtain additional copies of this report, call the Office of Inspector General (OIG) at\n(202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at\nwww.dhs.gov/oig.\n\n\nOIG Hotline\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to department programs or operations:\n\n    \xe2\x80\xa2    Call our Hotline at 1-800-323-8603;\n    \xe2\x80\xa2    Fax the complaint directly to us at (202) 254-4292;\n    \xe2\x80\xa2    Email us at DHSOIGHOTLINE@dhs.gov; or\n    \xe2\x80\xa2\t   Write to us at:\n           DHS Office of Inspector General/MAIL STOP 2600, Attention:\n           Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,\n           Washington, DC 20528.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c"